Every Yii2 guide/tutorial that I have come across ignores the validation of GET parameters. I'm wondering why.
To give an example, take a look at this code:
public function actionView($id)
{
/* #var $model ActiveRecord */
$model = Model::findOne($id);
if ($model) {
return $this->render('view', ['model' => $model]);
} else {
throw new \yii\web\NotFoundHttpException();
}
}
I understand that if you pass invalid argument to findOne() method, it will just return null and nothing bad happens. But is this really the best practice? I have always tried to be very careful with user input and the way I see it, user input should be validated immediately before performing any operations such as DB calls. Even if it's GET data, not just POST data.
public function actionView($id)
{
/* #var $model yii\base\DynamicModel */
$model = DynamicModel::validateData(['id' => $id], [
'idValidation' => ['id', integer]
]);
if ($model->hasErrors()) {
throw new \yii\web\BadRequestHttpException();
}
/* #var $model yii\db\ActiveRecord */
$model = Model::findOne($id);
if ($model) {
return $this->render('view', ['model' => $model]);
} else {
throw new \yii\web\NotFoundHttpException();
}
}
What do you think? Is my approach reasonable or overkill and unnecessary?
If you're using action parameters, you don't need to validate this parameters again (unless you have specific reason for it, like closed dictionary of allowed values, but I guess this is not the case). If your action uses signature like actionView($id) Yii will ensure few things before further processing of action:
$_GET['id'] exist, so $id will never be null. If someone will try to call this action without id value in GET, he will get BadRequestHttpException exception without calling action.
$_GET['id'] is a scalar. It means that if someone will try to pass array as id, he will get BadRequestHttpException exception without calling action.
So at this point in action you may be sure that $id is string. This is enough for findOne() safety. Even if you expect integer and someone pass blablabla as $id, it does not matter - he will get NotFoundHttpException anyway since there is no record with blablabla as id (this is impossible - blablabla in not a valid integer) - there is no need for extra check here. So default examples generated by Gii or from Yii documentation are safe. So your approach is a overkill and it is completely unnecessary.
Situation may change when $id can be array, since array allows much more powerful syntax. You need to take extra attention when:
You're explicitly allowing array as action param: actionView(array $id).
You're not using action params and using $_GET params directly: $id = $_GET['id'] or $id = Yii::$app->request->get('id') - in these cases $id can be array even if you're expecting scalar.
In this case $id value may be quite surprising. For example attacker may pass multiple IDs even if you're expecting single ID. Or filter by specified field instead of primary key, by passing ['email' => 'user#example.com'] as a $id - users will be searched by email field (or any other) even if intention is to filter only by ID. In such cases you should validate this array to make sure that it contains only expected values.
In older version this also allows for SQL Injection, since columns names (keys in array) were not escaped (this is still valid for where()). See 2.0.15 release announcement with some explanation.
Related
I have 2 tables in the db (mysql), and between the 2 there is no classic relationship through keys or ids. The only way I could define relationship would be through attribute values. E.g. table wheel and car and certain wheels would match certain cars because of the size only. Can it be defined on DB level, and/or in yii2, and if yes, how?
In the relations I can add an onCondition(), but you have to define an attribute (???), too:
public function getWheels() {
return $this->hasMany(\app\models\Wheel::className(), ['???' => '???'])->onCondition(['<', 'wheelsize', $this->wheelsize]);
}
I could use a fake attribute and set it in all records like to 1, but it seems a little bit odd for me.
I find nothing on the web regarding this or maybe I'm just searching the wrong way, or maybe I'm trying something that's totally bad practice. Can you please point me to the right direction?
Hypothetically you can set an empty array as a link, but for security reasons (I think) the condition "0 = 1" is automatically added in the select.
I faced your own problem several times and the best solution I could find was to use ActiveQuery explicitly (similar to what happens for hasOne and hasMany):
public function getWheels() {
return new ActiveQuery(\app\models\Wheel::className(), [
'where' => 'my condition' // <--- inserte here your condition as string or array
'multiple' => true // true=hasMany, false=hasOne
// you can also add other configuration params (select, on condition, order by, ...
]);
}
This way you can get both the array and the ActiveQuery to add other conditions:
var_dump($model->wheels); // array of wheels objects
var_dump($model->getWheels()); // yii\db\ActiveQuery object
$model->getWheels()->andWhere(...); // customize active query
I don't think that you could achieve this through relation.
But there is a way to work around the limitation.
<?php
namespace app\models;
class Car extend \yii\db\ActiveRecord
{
/**
* #var \app\models\Wheel
*/
private $_wheels;
/**
* #return \app\models\Wheel[]
*/
public function getWheels()
{
if (!$this->_wheels) {
$this->_wheels = Wheel::find()
->where(['<', 'wheelsize', $this->wheelsize])
//->andWhere() customize your where here
->all();
}
return $this->_wheels;
}
}
Then you could access the wheels attribute just as relation does.
<?php
$car = Car::find(1);
$car->wheels;
Beware that this way does not support Eager Loading
I need to check if a model has been updated and what attributes have changed when saving.
I'm using dirtyAttributes and filter intval as the docs suggests.
The values are coming from an API and are type-cast as they come in, so in theory the filter is redundant.
Model rules
public function rules()
{
return [
[['contract_date', 'order_date'], 'integer'],
[['contract_date', 'order_date'], 'filter', 'filter' => 'intval'],
];
}
This is some of the code currently running:
// Add the changed status variables to the job log
$dirty_attributes = array_keys($model->dirtyAttributes);
if($model->save()) foreach ($dirty_attributes as $attribute)
{
$data[$attribute] = $model->getOldAttribute($attribute).' ('.gettype($model->getOldAttribute($attribute)).')'. ' => '. $model->$attribute.' ('.gettype($model->$attribute).')';
}
var_dump($data);
This produces:
["contract_date"]=>
string(44) "1559669638 (integer) => 1559669638 (integer)"
["order_date"]=>
string(44) "1559669638 (integer) => 1559669638 (integer)"
There is probably something obvious I'm missing, but I can understand what.
After saving model all "oldAttributes" are updated to store new values so comparing them like you do makes no sense. If you want to check which attributes have been changed after saving you can override afterSave() method in your model like:
public function afterSave($insert, $changedAttributes)
{
// $changedAttributes -> this is it
parent::afterSave(); // call parent to trigger event
}
or listen for ActiveRecord::EVENT_AFTER_INSERT / ActiveRecord::EVENT_AFTER_UPDATE event where this data is also passed.
In the official docs I read:
Do bear in mind that virtual fields cannot be used in finds. If you want them to be part of JSON or array representations of your entities, see Exposing Virtual Fields.
It's not clear to me if the second sentence is in someway related to the first one - say as a workaround to overcome the limitation - or they are completely independent.
I mean: if I expose a Virtual Field then may I use it in a find statement?
Is there a way to include a virtual field in a query? Here a real example:
ItemOrdersTable.php:
$this->setTable('item_orders');
$this->setDisplayField('summary'); // virtual field
$this->setPrimaryKey('id');
Entity:
protected $_virtual = [
'summary'
];
protected function _getSummary()
{
return $this->name . ' ' . $this->description;
}
Usage in a Controller:
return TableRegistry::get('itemOrders')->find('list')->where(['order_id' => $id]);
Because I specified 'summary' as DisplayField, I'm expecting a key-value list of all records that meet the where clause, with the id as key and the summary virtual field as value. Because this doesn't happen (the returned object is null) I'm trying to understand if my code is wrong or I didn't read correctly the documentation as asked above.
Customize Key-Value Output:
https://book.cakephp.org/3.0/en/orm/retrieving-data-and-resultsets.html#customize-key-value-output
Update:
$results = TableRegistry::getTableLocator()->get('item_orders')
->find('list')
->where(['order_id' => $id]);
debug($results->toArray());
$this->set('orders', $results);
debug($orders); exit; <-- test results, and post in your question.
Everytime i try attempt to update a row i receive an error which says "something is required". In codeigniter you can update rows without the need to set everything to null in the mysql tabel settings.
I just want to update one value not the entire row.
Is this possible?
if ($users->save() == false) {
echo "Umh, We can't update the user right now: \n";
foreach ($users->getMessages() as $message) {
echo $message, "<br>";
}
$this->flash->error("Error in updating information.");
$this->response->redirect('user/profile');
} else {
echo "Great, a new robot was saved successfully!";
$this->flash->success("Member has been updaed successfully.");
//$this->response->redirect('user/profile');
}
Your isseue happens because you have already filled table and not yet properly defined model. Phalcon is validating all fo model data BEFORE trying to save it. If you define your model with all defaults, skips etc. properly, updates will be fired on single columns as you wish.
If you have definitions, that does not allow nulls, but you need an empty or default value there anyway, you may want to use 'beforeCreate' actions in model implementations. Also if there are things with defaults to set on first insert, you may wanto to use skipAttributes method.
More information is in documentation: Working with Models. So far best bit over internet I've found.
Also, below is an example for nullable email column and NOT NULL DEFAULT '0' 'skipped' column from my working code:
public function initialize() {
$this->skipAttributesOnCreate(['skipped']);
}
public function validation()
{
if($this->email !== null) {
$this->validate(
new Email(
array(
'field' => 'email',
'required' => true,
)
)
);
if ($this->validationHasFailed() == true) {
return false;
}
}
}
You do want errors of "something is required". All you're missing are just proper implementations of defaults over models. Once you get used to those mechanics, you should find them easy to handle and with more pros than cons.
What you are doing is called an insert. To set a column to a different value in a pre-existing row is called an update.
The latter is flexible, the former in not.
I highly recommend not treating a database like this is what i feel like
Put all the data in. Null is your enemy
The validation on Kohana ORM is done using rules
function rules()
{
return array(
'username' => array(
array('not_empty'),
array(array($this, 'availability')),
)
);
}
I'm struggling to validate a JSON encoded column using $_serialize_columns.
class Model_Admin extends ORM {
protected $_belongs_to = array();
protected $_has_many = array(
'plans' => array(),
'groups' => array(),
'transactions' => array(),
'logins' => array()
);
protected $_serialize_columns = array('data');
/**
* #param array $data
* #param Validation $validation
*
* #return bool
*/
public function data($data, $validation)
{
return
Validation::factory(json_decode($data, TRUE))
// ... rules ...
->check();
}
public function rules()
{
return array(
'data' => array(
array(array($this, 'data'), array(':value',':validation')
)
);
}
}
the array that gets encoded is:
array(
'name' => '',
'address' => '',
'phone' => '',
'postalcode' => ''
);
the data method receives the json encoded data, because the ORM runs the filters before doing the validation, so I need to convert it back to an associative array, then create a new validation object to check specifically for the content of that array. Because I can't merge Validation rules from another Validation instance
Updated Answer
The use of a second validation object is necessary since save() causes the internal model validation object to be checked. This means that rules added to the validation object being checked from a validation rule will be ignored (Validation->check() imports the rules into local scope before looping).
Since the data itself is technically another object (in the sense of object relationships, it has its own dataset that needs validation) the ideal solution would be to find a way to create a real model that saves the data.
There are numerous other benefits to saving data with proper database column definitions, not least if you need to perform data property lookups, make in-situ changes etc. (which would otherwise require unserializing the data column, potetnailly in all rows).
There are some alternatives, but they feel like kludges to me:
Create a model that represents the data object and add rules to it, using check() to validate the data (problem: will require a lot of maintenance, no real-world table means columns must be manually defined).
Set the data as real columns in the Admin model, and use a filter that will convert it into the data column on set (problem: again, must manually define the columns and exclude the additional columns from the save operation).
I hope this is of some use.
Original Answer
The Kohana ORM save() method permits the inclusion of an "extra" validation object, which is merged into the main ORM validation object namespace.
This is documented briefly here.
If I have understood correctly, I think you are looking to do something like this:
// another script, e.g., a controller
// Create the model
$admin = ORM::factory('Admin');
// $data = the data as an array, before serialization ...
$extra_validation = Validation::factory($data)
// add ->rule() calls here, but DO NOT chain ->check()
;
// Set $data in the model if it is going to be saved, e.g., $admin->data = $data;
// Set other data... e.g., $admin->foo = 'bar';
// Save the model
try {
$admin->save($extra_validation);
}
catch (ORM_Validation_Exception $e)
{
// Manipulate the exception result
}
While in this example you must still create another validation object, you are now able to catch all exceptions in a single block. I would recommend using var_dump() or similar on $e->errors() to check the namespace if you are using i18n messages to provide a human-readable error message. You should find that a namespace called "_external" has been created in the response.